Friday, August 28, 2009

During examination of a Mac laptop, I located a file similar to winxp.hdd.0.{5fbfaae3-6747-49ff-82a7-750e329bcb51}.hds. Further digging revealed that Parallels Workstation had been installed and used on this computer and that the virtual machines had later been deleted. I found a good link that explains how to deal with .hds files. I then searched for .pvs files and DiskDescriptor.xml and was lucky to find a couple of DiskDescriptor.xml files. One of these files contained GUID 5fbfaae3-6747-49ff-82a7-750e329bcb51 and stated that the virtual disk is compressed. The rest was easy. I renamed winxp.hdd.0.{5fbfaae3-6747-49ff-82a7-750e329bcb51}.hds to winxp.hdd, went to Start -> All Programs -> Parallels and fired up Parallels Image Tool, which is installed by default together with Parallels Workstation. With this tool I converted winxp.hdd to a plain hard disk image, which took only a few minutes.

I then used my favorite free tool called ImDisk to mount the converted hard disk image. Default settings worked fine and ImDisk was able to mount 'converted.hdd' file in read-only mode.

Edit: The new version of Parallels Image Tool uses a slightly different GUI. Converting to the plain format is now done via the "Manage disk properties" option. The quote "The perfect is the enemy of the good." from Voltaire's Dictionnaire Philosophique (1764) is quite relevant in this case, because the latest version may not always successfully convert "old" HDS files, so do not yet throw away/uninstall your old version of Parallels.

Saturday, August 15, 2009

Analysing VirtualBox VDI files can sometimes be tricky. It is not a problem when the VDI file has header type 2, which means that you are dealing with a fixed disk. Searching for partitions with forensic tools such as EnCase or my all-time favourite X-Ways Forensics makes the examination no different from examining ordinary dd or E01 files. MakeSparseVDI, which comes with VirtualBox, can parse information from the VDI header and partition table. This information can be used to mount fixed VDI files with ImDisk, normally by pointing it to the partition start, which is usually located at offset 73728.

The old version of VirtualBox used to have a nice utility called vditool that could carve out the raw disk image. There is a good write-up in the 'Forensic Incident Response' blog about VirtualBox analysis. There have been several updates since that time; vditool is no longer present and has been replaced with VBoxManage. The latter can convert raw images to VDI but not the other way around. (As it turned out, this is not the case. See below for details. VirtualBox help doesn't have this information. This site is more useful.)

Dynamic disks have value 1 at offset (decimal) 76 and they are not so easy to work with. Unlike flat volume images (fixed disks), dynamic disks cannot be mounted with the above-mentioned tools. The only tool/method that worked for me was WinMount. It mounted VirtualBox dynamic disks with no problems. The tool has a read-only option that is enabled by default in WinMount V3.2. It is also capable of mounting VHD (Virtual Hard Disk) and VMDK (VMware) images, comes with a 30-day trial period and costs $61.24 AUD.
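To make the fixed-versus-dynamic distinction concrete, here is an added Python example (not from the original post and not VirtualBox code) that reads the VDI header fields mentioned above and translates a guest-disk byte offset to a byte offset inside the VDI file. For a fixed disk the translation is one constant shift, which is all an offset-based mounter like ImDisk needs; for a dynamic disk the block map must be consulted, which is why such tools fail on it. Header field offsets follow the VDI 1.1 layout; the miniature sample images are constructed inside the block.

```python
import struct

VDI_MAGIC = 0xBEDA107F
IMAGE_DYNAMIC, IMAGE_FIXED = 1, 2   # image-type value stored at decimal offset 76
UNALLOCATED = 0xFFFFFFFF            # block-map entry for a block the guest never wrote


def parse_vdi_header(buf):
    """Pull the header fields needed to locate guest data (VDI 1.1 layout)."""
    magic, version = struct.unpack_from("<II", buf, 0x40)
    if magic != VDI_MAGIC:
        raise ValueError("bad VDI magic at offset 0x40")
    image_type = struct.unpack_from("<I", buf, 0x4C)[0]          # decimal 76
    off_blocks, off_data = struct.unpack_from("<II", buf, 0x154)  # block map / data start
    disk_size, block_size = struct.unpack_from("<QI", buf, 0x170)
    return {"version": version, "image_type": image_type,
            "fixed": image_type == IMAGE_FIXED, "off_blocks": off_blocks,
            "off_data": off_data, "disk_size": disk_size, "block_size": block_size}


def file_offset(buf, hdr, disk_offset):
    """Map a guest-disk offset to a file offset. Fixed disk: constant shift.
    Dynamic disk: walk the block map; None means the block is unallocated."""
    if hdr["fixed"]:
        return hdr["off_data"] + disk_offset
    bs = hdr["block_size"]
    entry = struct.unpack_from("<I", buf, hdr["off_blocks"] + 4 * (disk_offset // bs))[0]
    if entry == UNALLOCATED:
        return None
    return hdr["off_data"] + entry * bs + disk_offset % bs


def build_sample_vdi(image_type, block_map, block_size=512):
    """Constructed miniature VDI (header, block map, data area) for testing only.
    block_map[logical] = physical index; physical indices must be 0..n-1 with no gaps."""
    nblocks = len(block_map)
    off_blocks = 0x200
    off_data = off_blocks + 4 * nblocks
    buf = bytearray(off_data)
    buf[:0x40] = b"<<< constructed sample VDI >>>\n".ljust(0x40, b"\0")
    struct.pack_into("<IIII", buf, 0x40, VDI_MAGIC, 0x00010001, 0x190, image_type)
    struct.pack_into("<II", buf, 0x154, off_blocks, off_data)
    struct.pack_into("<QI", buf, 0x170, nblocks * block_size, block_size)
    for logical, physical in enumerate(block_map):
        struct.pack_into("<I", buf, off_blocks + 4 * logical, physical)
    for physical in sorted(p for p in block_map if p != UNALLOCATED):
        logical = block_map.index(physical)          # fill block with its logical letter
        buf += bytes([65 + logical]) * block_size
    return bytes(buf)
```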

/dev/mem is now protected by default. "The CONFIG_STRICT_DEVMEM kernel option was introduced to block non-device memory access."

/dev/kmem is disabled by setting CONFIG_DEVKMEM to 'n'.

RAM acquisition via FireWire option looks really attractive now. There are two topics however that I am not prepared to discuss in this blog, and these topics are FireWire RAM acquisition and Encryption.

"The digital security field is incredibly complicated and anyone who claims to be a master of the entire field is a fool. In fact, mastery of any single subject might require such narrow focus as to be of little relevance to the remainder of the field. Those who are most successful have carved some niche out of the security landscape, but still understand the rest of the arena."

Tuesday, August 4, 2009

Using your mobile on a plane may not be an issue in the near future, as more airlines allow their passengers to make and receive calls during flights. However, the opposite might also be true when it comes to having your mobile phone switched on during search warrants or incident responses.

Almost all of the latest mobile phone models now come with Wi-Fi and/or Bluetooth capabilities. These phones are often used by incident responders and digital forensic specialists who attend search warrants or scenes of crime. Given that it is almost impossible to find a laptop or desktop computer used by a suspect without some kind of wireless network device built in or connected to it, the potential for accidental digital contamination should not be underestimated. Your Wi-Fi or Bluetooth enabled phone could potentially be detected by the suspect's laptop, and later you may find your mobile device's network name (or even worse, your own name) logged by the suspect's machine.

Furthermore, Google Sync, SyncJe, The Missing Sync and many other mobile phone applications are capable of wirelessly synchronising iPhone, BlackBerry, Windows Mobile and some Nokia and Ericsson standard phones with the base computer. The items that normally get synchronised are contacts, calendars, email account settings, webpage bookmarks, notes, music and photos. Theoretically, depending on the preferences set, these items may get automatically synced between your mobile device and the suspect's computer "if care is not taken to ensure that the investigator's devices have had their wireless functions disabled prior to approaching a suspect's device..." [Angus M. Marshall]

I am just wondering how many organisations/practitioners have implemented safeguards/policies that deal with this issue. I am adding a poll to my blog that will run for a couple of weeks, so please take your time to answer the question.

Does your organisation have a policy mandating wireless devices off during forensic examination?

About Me

Forensic Technology professional with diverse international experience managing and conducting Digital Investigations in both large and small organisations. A passionate computer security and digital forensics professional.

Disclaimer

This blog is intended for my digital forensic needs and shared with everyone interested to make our world a little bit safer. This is a personal weblog. The opinions expressed here represent my own and not those of my employer.
While all reasonable attempts have been made to ensure the accuracy of information on this blog, neither myself nor the blog’s contributors can be held responsible for any errors, inaccuracies, or incomplete information contained therein.
I reserve the right to correct, change, or update any information on this blog at any time without prior notice.